Opened 20 months ago

Closed 6 months ago

#27863 closed New feature (fixed)

Implement "SameSite" flag for session and CSRF cookies

Reported by: Alex Gaynor
Owned by: Paweł Krawczyk
Component: HTTP handling
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection (http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global deployment, it'd be very useful for Defense in Depth.

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

I believe simply adding SameSite=lax to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple).

Change History (7)

comment:1 Changed 20 months ago by Alex Gaynor

Note: this requires a change to the stdlib cookies module: https://github.com/python/cpython/pull/214 I suspect with some hackery this can be worked around in Django though.

comment:2 Changed 18 months ago by Paweł Krawczyk

Owner: changed from nobody to Paweł Krawczyk
Status: new → assigned

This can be implemented in HttpResponse.set_cookie() alone. I have just sent a pull-request on GitHub for that.

comment:3 Changed 18 months ago by Paweł Krawczyk

Has patch: set

comment:4 Changed 18 months ago by Paweł Krawczyk

Version: 1.10 → master

comment:5 Changed 18 months ago by Simon Charette

Component: contrib.sessions → HTTP handling
Needs documentation: set
Needs tests: set
Patch needs improvement: set
Summary: Implement "SameSite" flag for session cookies → Implement "SameSite" flag for session and CSRF cookies

comment:6 Changed 6 months ago by Tim Graham

Needs documentation: unset
Needs tests: unset

New PR (still needs some work)

comment:7 Changed 6 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 9a56b4b1:

Fixed #27863 -- Added support for the SameSite cookie flag.

Thanks Alex Gaynor for contributing to the patch.
